Packet mode and host-inbound traffic

Did you know that if you enable packet-mode in traffic interface of an SRX box,
host inbound traffic isn’t allowed anymore? Device can still process transit traffic
but inbound traffic won’t work. For example, apply a filter like below to an interface
and try to SSH to IP 98.1.1.1, you shouldn’t be allowed.

#show interfaces
ge-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input inet-packet-mode;
                output inet-packet-mode;
            }
            address 98.1.1.1/24;
        }
    }
}

# top show firewall
family inet {
    filter inet-packet-mode {
        term 10 {
            then {
                packet-mode;
                accept;
            }
        }
    }
}

If you are wondering why: Documentation says that host-inbound traffic is only allowed
if it is sent to flow daemon for inspection.

PS: You can selectively exclude local IP from packet mode but here I just want to show the behavior change.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


One thought on “Packet mode and host-inbound traffic”

  1. Great information… thanks! Here’s a good workaround:

    policy-options {
    prefix-list router-ipv4 {
    apply-path “interfaces unit family inet address “;
    }
    prefix-list router-ipv4-logical-systems {
    apply-path “logical-systems interfaces unit family inet address “;
    }
    prefix-list router-ipv6 {
    apply-path “interfaces unit family inet6 address “;
    }
    prefix-list router-ipv6-logical-systems {
    apply-path “logical-systems interfaces unit family inet6 address “;
    }
    }
    firewall {
    family inet {
    filter inet-packet-mode {
    term 5 {
    from {
    prefix-list {
    router-ipv4;
    router-ipv6;
    router-ipv4-logical-systems;
    router-ipv6-logical-systems;
    }
    }
    then accept;
    }
    term 10 {
    then {
    packet-mode;
    accept;
    }
    }
    }
    }
    }

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading